kursh / simpleunpacker Goto Github PK
View Code? Open in Web Editor NEWThis project forked from cr4sh/simpleunpacker
Simple tool for unpacking packed/protected malware executables.
Home Page: http://d-olex.blogspot.com/
This project forked from cr4sh/simpleunpacker
Simple tool for unpacking packed/protected malware executables.
Home Page: http://d-olex.blogspot.com/
SIMPLE UNPACKER PoC Tool by Oleksiuk Dmytro (aka Cr4sh), Esage Lab http://d-olex.blogspot.com/ mailto:[email protected] ================================= This tool designed for semi-automation unpacking of malware samples, by the following way: 1) Creates malware process with CreateProcess() and PROCESS_DEBUG flag. 2) Dispatching debug events, and setting breakpoints on some APIs, that calls somewhere in unpacked malware body. 3) When breakpoint occurs -- tool performs dumping of unpacked malware executable image. Of course, to use it you must know what exactly API calls in unpacked malware body, to set breakpoint (unpacking marker) on them. USAGE: > SimpleUnpacker.exe <input_file> --bp <module>!<function> For setting breakpoints on many functions, you can use multipile --bp keys in command line options. Unpacked binary will be saved in dumped.exe, you can load it into the IDA Pro, or into yor own process (with LoadLibraryEx() + DONT_RESOLVE_DLL_REFERENCES) for further researching. Exampe of unpacking SpyEye trojan dropper: ------------------------------------------------------------------- C:\> SimpleUnpacker.exe dropper.exe --bp kernel32.dll! CreateToolhelp32Snapshot [+] Breakpoint: kernel32.dll!CreateToolhelp32Snapshot() [+] Process command line: "dropper.exe" CREATE_PROCESS: ImageBase=0x00400000, StartAddress=0x00420090 DLL_LOAD: 0x7c900000 "ntdll.dll" DLL_LOAD: 0x7c800000 "C:\WINDOWS\system32\kernel32.dll" [+] Breakpoint on kernel32.dll!CreateToolhelp32Snapshot() has been set: 0x7c865b1f DLL_LOAD: 0x7e410000 "C:\WINDOWS\system32\USER32.dll" DLL_LOAD: 0x77f10000 "C:\WINDOWS\system32\GDI32.dll" DLL_LOAD: 0x73000000 "C:\WINDOWS\system32\WINSPOOL.DRV" DLL_LOAD: 0x77dd0000 "C:\WINDOWS\system32\ADVAPI32.dll" DLL_LOAD: 0x77e70000 "C:\WINDOWS\system32\RPCRT4.dll" DLL_LOAD: 0x77fe0000 "C:\WINDOWS\system32\Secur32.dll" DLL_LOAD: 0x77c10000 "C:\WINDOWS\system32\msvcrt.dll" DLL_LOAD: 0x3d930000 "C:\WINDOWS\system32\WININET.dll" DLL_LOAD: 0x77f60000 "C:\WINDOWS\system32\SHLWAPI.dll" DLL_LOAD: 0x78130000 "C:\WINDOWS\system32\urlmon.dll" DLL_LOAD: 0x774e0000 "C:\WINDOWS\system32\ole32.dll" DLL_LOAD: 0x77120000 "C:\WINDOWS\system32\OLEAUT32.dll" DLL_LOAD: 0x3dfd0000 "C:\WINDOWS\system32\iertutil.dll" EXCEPTION_BREAKPOINT at 0x7c90120e CREATE_THREAD: StartAddress=0x00000000 DLL_LOAD: 0x76390000 "C:\WINDOWS\system32\IMM32.DLL" DLL_LOAD: 0x773d0000 "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_65 95b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll" CREATE_THREAD: StartAddress=0x7c8106e9 EXCEPTION_BREAKPOINT at 0x7c865b1f [+] Breakpoint occurs: kernel32.dll!CreateToolhelp32Snapshot [+] Dumping image 0x00400000 Size=0x0007d000 Fixing FileAlignment 0x00000200 -> 0x00001000 Fixing section raw address 0x00000400 -> 0x00001000 Fixing section raw address 0x00000400 -> 0x00040000 Fixing section raw address 0x00021600 -> 0x00062000 [+] Image dumped to "dumped.exe" DONE -------------------------------------------------------------------
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.